1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Thu, 19 Mar 2015 18:58:44 -0400
Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
doesn't have the same scheme. r=bholley, a=abillings
---
caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
index 3587358..6577b95 100644
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
NS_ENSURE_SUCCESS(rv, rv);
if (hasFlags) {
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
+
+ // For now, don't change behavior for resource:// or moz-icon:// and
+ // just allow them.
if (!targetScheme.EqualsLiteral("chrome")) {
- // for now don't change behavior for resource: or moz-icon:
return NS_OK;
}
- // allow load only if chrome package is whitelisted
+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
+ // target if ALLOW_CHROME is set.
+ //
+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+ // loads (since docshell loads run the loaded content with its origin
+ // principal). So we're effectively allowing resource://, chrome://,
+ // and moz-icon:// source URIs to load resource://, chrome://, and
+ // moz-icon:// files, so long as they're not loading it as a document.
+ bool sourceIsUIResource;
+ rv = NS_URIChainHasFlags(sourceBaseURI,
+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
+ &sourceIsUIResource);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (sourceIsUIResource) {
+ return NS_OK;
+ }
+
+ // Allow the load only if the chrome package is whitelisted.
nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
NS_CHROMEREGISTRY_CONTRACTID));
if (reg) {
@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
}
}
- // resource: and chrome: are equivalent, securitywise
- // That's bogus!! Fix this. But watch out for
- // the view-source stylesheet?
- bool sourceIsChrome;
- rv = NS_URIChainHasFlags(sourceBaseURI,
- nsIProtocolHandler::URI_IS_UI_RESOURCE,
- &sourceIsChrome);
- NS_ENSURE_SUCCESS(rv, rv);
- if (sourceIsChrome) {
+ // Special-case the hidden window: it's allowed to load
+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
+ nsAutoCString sourceSpec;
+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
return NS_OK;
}
+
if (reportErrors) {
ReportError(nullptr, errorTag, sourceURI, aTargetURI);
}
--
2.2.1
|
